Phase 3 follow-up.
The initial Phase 3 PR landed the detection-pack metadata model, the registry of 6 packs, and the ListDetectionPacks RPC. It deliberately did not add new evaluators because each new rule needs a TS-parity fixture, a tests/<provider>-rules.test.ts entry, a worker_db_test.go case, and a matrix update in tests/fixtures/worker-parity/ingestion-rule-matrix.json. This issue tracks adding those.
Detections to add (one commit per rule preferred)
- github.branch_protection_disabled (Severity HIGH, MITRE T1562.001, tag policy.weakened, pack aperio.github.core.v1)
  - Fires on BRANCH_PROTECTION_DISABLED, PROTECTED_BRANCH_DESTROY, and PROTECTED_BRANCH_UPDATE (the latter only when changes contains a weakening key).
- slack.external_user_added_to_private_channel (Severity HIGH, MITRE T1098, T1530, tags data.external_share + data.access, pack aperio.slack.core.v1)
  - Fires on EXTERNAL_USER_ADDED_TO_PRIVATE_CHANNEL and GUEST_ADDED_TO_PRIVATE_CHANNEL.
- google_workspace.mass_drive_download (Severity CRITICAL, MITRE T1530, T1213.002, tags data.access + data.external_share, pack aperio.google_workspace.drive.v1)
  - Fires on MASS_DRIVE_DOWNLOAD and DRIVE_MASS_DOWNLOAD; threshold sourced from parameters.download_count and parameters.window_minutes.
Per-rule checklist
- Add the evaluator in internal/ingestionworker/worker.go and dispatch it from Evaluate().
- Extend supportedIngestionEventTypes for the provider.
- Add the RuleCatalog entry (pack metadata is already covered; copy the values from this issue).
- Add a fixture under tests/fixtures/worker-parity/ with positive, alias, and negative payloads.
- Add a tests/<provider>-rules.test.ts consumer of the fixture.
- Add a worker_db_test.go scenario asserting the end-to-end persistence path.
- Update the tests/fixtures/worker-parity/ingestion-rule-matrix.json row.
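To make the three rule definitions above and the evaluator/dispatch steps of the checklist concrete, here is an added, self-contained sketch of what the three evaluators and the Evaluate() dispatch look like. It is example code written for this issue, not the project's worker.go: the Event and Rule structs, the set of "weakening" keys, the mass-download thresholds (100 downloads inside a 60-minute window), and the treatment of PROTECTED_BRANCH_UPDATE as firing only on a weakening key are all assumptions, since the issue names the parameters and event types but not their shapes or values.

```go
package main

import (
	"fmt"
	"strconv"
)

// Event is an assumed minimal shape of what Evaluate() receives; the project's real struct is not shown.
type Event struct {
	Provider   string
	EventType  string
	Changes    map[string]interface{} // github: branch protection settings that changed
	Parameters map[string]string      // google_workspace: download_count, window_minutes
}

// Finding is what an evaluator emits when a rule fires.
type Finding struct{ RuleID, Severity, Pack string }

// Rule carries the catalog metadata from the issue plus the evaluator predicate. EventTypes holds
// the canonical name and its alias, so the alias fixture payload reaches the same rule as the positive one.
type Rule struct {
	ID, Provider, Severity, Pack string
	EventTypes                  map[string]bool
	Match                       func(Event) bool // nil means the event type alone fires
}

// weakeningKeys is an assumed set; the issue says "a weakening key" without listing them.
var weakeningKeys = map[string]bool{
	"required_approving_review_count": true,
	"required_status_checks":          true,
	"enforce_admins":                  true,
}

// Assumed thresholds; the issue names the two parameters but gives no values.
const (
	massDownloadMinCount      = 100
	massDownloadWindowMinutes = 60
)

// DISABLED and DESTROY weaken protection by definition; an UPDATE only counts on a weakening key.
func branchProtectionWeakened(ev Event) bool {
	if ev.EventType != "PROTECTED_BRANCH_UPDATE" {
		return true
	}
	for k := range ev.Changes {
		if weakeningKeys[k] {
			return true
		}
	}
	return false
}

// Fires only when both parameters parse and the count meets the threshold inside the window;
// a missing or malformed parameter never fires (the negative fixture case).
func exceedsDownloadThreshold(ev Event) bool {
	count, err1 := strconv.Atoi(ev.Parameters["download_count"])
	window, err2 := strconv.Atoi(ev.Parameters["window_minutes"])
	if err1 != nil || err2 != nil || window <= 0 {
		return false
	}
	return count >= massDownloadMinCount && window <= massDownloadWindowMinutes
}

func set(names ...string) map[string]bool {
	m := map[string]bool{}
	for _, n := range names {
		m[n] = true
	}
	return m
}

var rules = []Rule{
	{ID: "github.branch_protection_disabled", Provider: "github", Severity: "HIGH", Pack: "aperio.github.core.v1",
		EventTypes: set("BRANCH_PROTECTION_DISABLED", "PROTECTED_BRANCH_DESTROY", "PROTECTED_BRANCH_UPDATE"),
		Match:      branchProtectionWeakened},
	{ID: "slack.external_user_added_to_private_channel", Provider: "slack", Severity: "HIGH", Pack: "aperio.slack.core.v1",
		EventTypes: set("EXTERNAL_USER_ADDED_TO_PRIVATE_CHANNEL", "GUEST_ADDED_TO_PRIVATE_CHANNEL")},
	{ID: "google_workspace.mass_drive_download", Provider: "google_workspace", Severity: "CRITICAL", Pack: "aperio.google_workspace.drive.v1",
		EventTypes: set("MASS_DRIVE_DOWNLOAD", "DRIVE_MASS_DOWNLOAD"),
		Match:      exceedsDownloadThreshold},
}

// Evaluate dispatches one event to every rule for its provider whose event-type set contains
// the event type, and returns the findings that fire. Provider is checked first so an event
// type name shared across providers cannot trigger another provider's rule.
func Evaluate(ev Event) []Finding {
	var out []Finding
	for _, r := range rules {
		if r.Provider != ev.Provider || !r.EventTypes[ev.EventType] || (r.Match != nil && !r.Match(ev)) {
			continue
		}
		out = append(out, Finding{RuleID: r.ID, Severity: r.Severity, Pack: r.Pack})
	}
	return out
}

func main() {
	// Constructed sample event, not a fixture from the repository.
	ev := Event{Provider: "github", EventType: "PROTECTED_BRANCH_UPDATE", Changes: map[string]interface{}{"enforce_admins": false}}
	fmt.Println(Evaluate(ev))
}
```

The positive, alias, and negative payloads the fixture step asks for map directly onto this shape: the alias case is the second name in each EventTypes set, and the negative cases are a PROTECTED_BRANCH_UPDATE whose changes carry no weakening key, a download event below threshold, or a malformed parameters block.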
Acceptance
- npm run guardrails:migration and npm run test:api stay green.
- go test ./... stays green.
- Catalog parity tests in internal/ingestionworker/rules_catalog_test.go cover the new rules.
- ListDetectionPacks automatically surfaces them under the right pack with no API changes.